Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

MasterCard is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. MasterCard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. For nearly half a century, MasterCard has been a leader in safety and security. As payment methods continue to evolve, MasterCard is committed to advancing digital security, which includes rigorous testing for potential vulnerabilities. You can help us make our products and services even safer and earn rewards by reporting potential vulnerabilities.

The above targets are explicitly in scope and confirmed vulnerabilities found on these targets will be eligible for a reward.

Out of Scope

The following targets are explicitly out of scope and any submissions reported will be marked out of scope.

www.priceless.com/golf

www.priceless.com/travel

www.priceless.com/standup

All vulnerabilities discovered and reported on other targets (including subdomains) will be accepted, but are not eligible for a reward at this time. These submissions will be marked "Not Applicable" to prevent negative ratings.

Known Issue: The Mastercard Payment Gateway Virtual Payment Client (VPC) API that uses the MD5-based cryptogram to provide an integrity check of request parameters contains a critical vulnerability that allows limited modification of those parameters without causing a change in the cryptogram value. This vulnerability is remotely exploitable and does not require authentication. Mastercard has assessed the severity as CVSS 7.5. Mastercard recommends that all customers update their integration to use the HmacSHA256-based cryptogram, which is not vulnerable to parameter tampering. We thank Yohanes Nugroho for his support in identifying this security vulnerability to protect our customers.
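As an added illustration (not code from Mastercard or this program), the toy below shows why an integrity value that does not authenticate field boundaries can stay unchanged while parameters move, and why an HMAC-SHA256 over a delimited canonical string does not. It assumes the legacy cryptogram is MD5 over a secret and the parameter values concatenated without delimiters, which this page does not state; the field names and the secret are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample secret for the demonstration; not a real merchant key.
SECRET = b"constructed-demo-secret"


def md5_cryptogram(params: dict) -> str:
    """Legacy-style integrity value, assumed to be MD5 over the shared
    secret followed by the parameter values concatenated with no delimiter,
    values taken in field-name order. This construction is an assumption
    for illustration; the program page does not spell out the recipe."""
    joined = "".join(params[name] for name in sorted(params))
    return hashlib.md5(SECRET + joined.encode()).hexdigest()


def hmac_sha256_cryptogram(params: dict) -> str:
    """Hardened form: HMAC-SHA256 over a canonical, delimited encoding of
    name=value pairs, so each field boundary is covered by the MAC."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def verify(params: dict, cryptogram: str, scheme) -> bool:
    """Constant-time check of a received cryptogram against a recomputation."""
    return hmac.compare_digest(scheme(params), cryptogram)


# Constructed request: field names are illustrative, not the real API's.
ORIGINAL = {"amount": "100", "currency": "360", "order_ref": "ORDER42"}
# Same character stream, different field boundaries: the amount has grown
# to 1003 and the currency code has shrunk to 60.
SHIFTED = {"amount": "1003", "currency": "60", "order_ref": "ORDER42"}

if __name__ == "__main__":
    # The undelimited MD5 value cannot tell the two requests apart ...
    print(md5_cryptogram(ORIGINAL) == md5_cryptogram(SHIFTED))      # True
    # ... whereas the delimited HMAC-SHA256 value rejects the altered one.
    tag = hmac_sha256_cryptogram(ORIGINAL)
    print(verify(ORIGINAL, tag, hmac_sha256_cryptogram))            # True
    print(verify(SHIFTED, tag, hmac_sha256_cryptogram))             # False
```

The defensive point is the canonical encoding as much as the hash: any MAC over an undelimited concatenation inherits the same ambiguity.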

Additional information

Simplify Commerce

Simplify Commerce is a uniquely versatile, highly scalable and incredibly simple cloud-based payments platform from MasterCard. It works for card brands that the acquirer supports. Designed with the small business owner in mind, it’s a simple, easily integrated and dynamic platform that makes it a strong choice for businesses of all sizes.

DO NOT register a new merchant account or attempt to accept real payments, as this will involve parties which are out of scope. We have ensured the sandbox has the same functionality needed for testing.

If a link goes outside the www.simplify.com or sandbox.simplify.com domains it is no longer in scope and should not be tested.

Simplify has two live partners, Priority Payment Systems and EVO Payment Systems, which are explicitly out of scope.

priceless.com

Priceless Cities is a core tenet of MasterCard’s world-renowned 18-year-old Priceless marketing platform that is currently available in 112 countries and 53 languages. The platform provides exclusive curated experiences and special access in over 35 cities marketed in over 52 countries.

As this is a highly integrated application, please note that www.priceless.com/travel and www.priceless.com/golf extend to partners and are *not* in scope.

Accounts can be self-provisioned by using your @bugcrowdninja email.

When you register you will be prompted for the first 8 numbers of your credit card. Please use 5458 3282 or 5420 9238 for those fields.

Mastercard Regional Websites

The regional MasterCard sites are the company’s external websites, which include public information available to unauthenticated users. The sites include outbound links to resources not hosted on the www.mastercard.com domain. Only the core MasterCard domain is in scope and open to testing. Please be mindful of which domain/subdomain you are testing.

Credentials

Please create an account on your own using your @bugcrowdninja.com email address. Your 'bugcrowdninja' email address is your username@bugcrowdninja.com. All emails will go to the email address associated with your account.

Focus Areas

Cross Site Scripting (XSS)

Cross Site Request Forgery (CSRF)

Insecure direct object references

Injection Vulnerabilities

Authentication Vulnerabilities

Server-side Code Execution

Privilege Escalation

Significant Security Misconfiguration (when not caused by user)

Any out-of-the-box issues which could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data, thereby affecting user privacy.

Prohibited Testing

Do NOT conduct non-technical attacks such as social engineering, phishing, or unauthorized access to infrastructure.

Do NOT test the physical security of MasterCard offices, employees, equipment, etc.